pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/lang/ruby24-base lang/ruby24-base: Add security patch ...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/0e6d3bb00ceb
branches:  trunk
changeset: 393053:0e6d3bb00ceb
user:      taca <taca%pkgsrc.org@localhost>
date:      Tue Mar 12 04:23:45 2019 +0000

description:
lang/ruby24-base: Add security patch for rubygems

Add security patch for rubygems, fixing these problems.

* CVE-2019-8320: Delete directory using symlink when decompressing tar
* CVE-2019-8321: Escape sequence injection vulnerability in verbose
* CVE-2019-8322: Escape sequence injection vulnerability in gem owner
* CVE-2019-8323: Escape sequence injection vulnerability in API response handling
* CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
* CVE-2019-8325: Escape sequence injection vulnerability in errors

https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/

Since the original patch included in the official announcement does not apply
cleanly to Ruby 2.4.5, use a local version which drops the patch to a
non-existent test.

Bump PKGREVISION.

diffstat:

 lang/ruby24-base/Makefile |  6 +++++-
 lang/ruby24-base/distinfo |  6 +++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diffs (33 lines):

diff -r 80b191dd3b60 -r 0e6d3bb00ceb lang/ruby24-base/Makefile
--- a/lang/ruby24-base/Makefile Tue Mar 12 04:22:55 2019 +0000
+++ b/lang/ruby24-base/Makefile Tue Mar 12 04:23:45 2019 +0000
@@ -1,10 +1,14 @@
-# $NetBSD: Makefile,v 1.9 2018/07/17 10:56:24 jperkin Exp $
+# $NetBSD: Makefile,v 1.10 2019/03/12 04:23:45 taca Exp $
 
 DISTNAME=      ${RUBY_DISTNAME}
 PKGNAME=       ${RUBY_PKGPREFIX}-base-${RUBY_VERSION}
 CATEGORIES=    lang ruby
 MASTER_SITES=  ${MASTER_SITE_RUBY}
 
+# announced patch is failed to apply, so use local version.
+PATCHFILES=    ruby-2.4.5-rubygems.patch-20190311
+PATCH_SITES=   ${MASTER_SITE_LOCAL}
+
 MAINTAINER=    taca%NetBSD.org@localhost
 HOMEPAGE=      ${RUBY_HOMEPAGE}
 COMMENT=       Ruby ${RUBY_VERSION} release minimum base package
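Review bot: the added comment line `# announced patch is failed to apply, so use local version.` should say which upstream patch was modified and why, since a reader of the Makefile alone cannot tell that this is the RubyGems security patch from the 2019-03-05 ruby-lang.org announcement with the hunk for a test file absent from Ruby 2.4.5 dropped; suggest `# The patch from the official RubyGems advisory (CVE-2019-8320 .. CVE-2019-8325) does not apply cleanly to Ruby 2.4.5; this local copy drops the hunk for a test file that does not exist here.` Also note that PATCH_SITES points at ${MASTER_SITE_LOCAL}, so the only provenance for this patch is the checksum recorded in distinfo; the comment is the place to record where the local file derives from.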
diff -r 80b191dd3b60 -r 0e6d3bb00ceb lang/ruby24-base/distinfo
--- a/lang/ruby24-base/distinfo Tue Mar 12 04:22:55 2019 +0000
+++ b/lang/ruby24-base/distinfo Tue Mar 12 04:23:45 2019 +0000
@@ -1,5 +1,9 @@
-$NetBSD: distinfo,v 1.11 2019/01/03 05:19:03 taca Exp $
+$NetBSD: distinfo,v 1.12 2019/03/12 04:23:45 taca Exp $
 
+SHA1 (ruby-2.4.5-rubygems.patch-20190311) = 3205fcafc9ff8b76b1f0ae31a87c3847bc93e69d
+RMD160 (ruby-2.4.5-rubygems.patch-20190311) = 9748f8de0d57930522fd9d423d08fa938a7467f7
+SHA512 (ruby-2.4.5-rubygems.patch-20190311) = 4273fe6fbf9a27720a243453723ddb7d6e7268b7f4d6a0d65af72a06d712fa18552bafca676e4aae92dc057e86a0c1628e056d0475fa20e0f5b57364b8408c67
+Size (ruby-2.4.5-rubygems.patch-20190311) = 12191 bytes
 SHA1 (ruby-2.4.5.tar.xz) = b5be590b37487248da3a85541a62fb81f7f7e29a
 RMD160 (ruby-2.4.5.tar.xz) = b0704071c12223b416ca5bd52a52671376d8ad5c
 SHA512 (ruby-2.4.5.tar.xz) = 658f676c623109f4c7499615e191c98c3dd72cfcaeeaf121337d0b8a33c5243145edd50ec5e2775f988e3cd19788984f105fa165e3049779066566f67172c1b4
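Review bot: the new SHA1/RMD160/SHA512/Size entries for ruby-2.4.5-rubygems.patch-20190311 are what tie the build to the locally hosted patch, so before commit they should be regenerated from the exact file uploaded to MASTER_SITE_LOCAL (e.g. `make makepatchsum` / `make distinfo` after fetching), not from a working copy; a mismatch will only surface as a fetch checksum failure for users. The dated suffix `-20190311` in the filename is good practice, since any later revision of the local patch must get a new name and new checksums rather than silently replacing this one.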